IBM Security Services
- Penetration Testing -
July 15, 2014
© 2014 IBM Corporation
THE EVOLVING THREAT LANDSCAPE
Success in today’s dynamic, data-driven global marketplace requires effective enterprise IT security management
Motivations and sophistication are rapidly evolving
(chart: attacker groups plotted by motivation against sophistication)
 Nation-state actors, APTs (Stuxnet, Aurora, APT-1): national security, economic espionage
 Hacktivists (Lulzsec, Anonymous): notoriety, activism, defamation
 Organized crime (Zeus, ZeroAccess, Blackhole Exploit Pack): monetary gain
 Insiders, spammers, script-kiddies (Nigerian 419 scams, Code Red): nuisance, curiosity
Security incidents are rising: data from the IBM 2014 Cyber Security Intelligence Index
 Security events (observable occurrences in a system or network): 91,765,453 annual; 7,647,121 monthly; 1,764,121 weekly. Events: up 12% year on year to 91m.
 Security attacks (identified malicious events, filtered from the events by security intelligence: correlation and analytics tools): 16,857 annual; 1,405 monthly; 324 weekly. Attacks: increased efficiencies achieved, with more efficiency in security processing to help clients focus on identified malicious events.
 Security incidents (attacks deemed worthy of deeper investigation, selected from the attacks by security intelligence: human security analysts): 109 annual; 9 monthly; 2 weekly. Incidents: up 22% year on year.
Source: IBM Security Services 2014 Cyber Security Intelligence Index
At the same time, according to the Ponemon Institute, the cost of a data breach to global organizations is on the rise
 $145 average cost per record compromised (up 9%)
 $3.5 million average total cost per data breach (up 15%)
 15% increase year-to-year in the rate of customer churn
NEW DATA from the 2014 Ponemon Institute Cost of Data Breach Study: United States, sponsored by IBM
www.ibm.com/services/costofbreach
According to the 2014 Ponemon Institute study, the average cost of a data breach per record varies from country to country
 In Italy the cost of a data breach for one compromised record increased from €95 in 2013 to €102 in 2014.
 In Italy the total organizational cost of a data breach increased from €1.73 million to €1.93 million.
Source: 2014 Ponemon Institute Cost of Data Breach Study: Italy
What happens in Italy?
- Data from the latest Clusit Report -
Hacktivism: Hacktivism is the act of hacking a website or computer network in an effort to convey a social or political message. The person who carries out the act of hacktivism is known as a hacktivist.
IT Security is a board-room discussion
(chart: executive roles and the exposures each one carries)
 CEO, CFO/COO: loss of market share and reputation; legal exposure; audit failure; fines and criminal charges; financial loss
 CIO: loss of data confidentiality, integrity and/or availability
 CHRO: violation of employee privacy
 CMO: loss of customer trust; loss of brand reputation
Increasingly, companies are appointing CROs and CISOs with a direct line to the Audit Committee
Source: Discussions with more than 13,000 C-suite executives as part of the IBM C-suite Study Series
IBM provides unmatched global coverage and security awareness
IBM has a commitment to security research, development, monitoring & analysis
 4,300 strategic outsourcing security delivery resources
 1,200 professional services security consultants
 650 field security specialists
 400 security operations analysts
 10 security research centers
 10 security operations centers (SOCs)
 14 security development labs
IBM X-Force Expertise
• 150M intrusion attempts monitored daily
• 46,000 documented vulnerabilities
• 40M unique phishing/spam attacks
• Millions of unique malware samples
• Billions of analyzed web pages
• 1000+ security patents
Managed Services Excellence
• Tens of thousands of devices under management
• Thousands of MSS clients worldwide
• Billions of events managed per day
• Countries monitored in all geographies
• Industry-leading research and reports
IBM is widely recognized as a leader in this market
Security Consulting
Managed Security
“IBM has the largest client base of the participants... Clients praised the flexibility, knowledge, and responsiveness ...while also noting the company’s excellent documentation. Organizations looking for a high-quality vendor that can do it all and manage it afterwards should consider IBM.”
Sources:
Forrester Research Inc., “Forrester Wave™: Information Security Consulting Services, Q1 2013”
Forrester Research Inc., “Forrester Wave™: Managed Security Services Providers, Q1 2012”
Penetration Test Overview
IBM Security Services Portfolio Overview
Built to address the Security Essentials, within the context of the integrated Security Framework
IBM Security Services Portfolio
Strategy, Risk & Compliance: Security Maturity Benchmarking; Security Strategy & Roadmap Development; Industrial Controls Security Risk Assessment & Program Design (NIST, SCADA); PCI Advisory
Cybersecurity Assessment & Response: Threat Intelligence Advisory; X-Force Threat Analysis; Penetration Testing; Incident Preparation; Emergency Response
Security Operations: Security Intelligence Operations Center Design & Build Out Services
Domains: People; Data; Applications; Identity; Infrastructure
Engagement types: Assessment & Strategy; Design, Deployment & Migration; Staff Augmentation; Cloud and Managed Services
Offerings across these domains (the chart layout mapping each offering to its domain did not survive extraction): Crown Jewels Discovery & Protection; SDLC Program Development; Security Optimization; User Provisioning/Access Mgmt; Database Security; Dynamic and Static Testing; Total Authentication Solution; Encryption and Data Loss Prevention; Embedded Device Testing; Managed/Cloud Identity; Mobile Application Testing; Firewall / Unified Threat Management; Intrusion Detection & Prevention; Web Protection & Managed DDoS; Hosted E-Mail & Web; Managed SIEM & Vulnerability Mgmt; Log Management
Powered by IBM’s Next Generation Threat Monitoring and Analytics Platform
This service performs tests that demonstrate attack techniques and identify vulnerable systems
Service description:
 Penetration test services demonstrate, by means of real scenarios, how attackers can significantly impact the business.
 During controlled tests, IBM Professional Security Services (PSS) consultants attempt to remotely penetrate network devices and to provide evidence that critical systems and data can be compromised.
 Security findings are documented together with the recommended solutions to eliminate or contain them.
 Beyond a simple vulnerability assessment (scan), a penetration test can show the real impact of vulnerabilities rather than indicate theoretical weaknesses.
Customer requirements
 Satisfy regulatory requirements
 Validate the effectiveness of the implemented security controls
 Help prioritize security investments
Clients better understand the impact of an attack on their own business and can decide on remediation actions accordingly
The benefits of a penetration test may include:
 Demonstrating how attackers could significantly impact the Client’s business
 Validating the effectiveness of the Client’s current security countermeasures
 Broadening and deepening the perspective on hackers’ techniques and motivations
 Encouraging top management support for the security strategy and resources
 Identifying the recommended actions to effectively reduce risk
 Facilitating the management of compliance with industry and government regulations
Penetration Test Activities
 Project Initiation
– The purpose of this activity is to finalize the project team members, develop a common understanding of the project
objectives, roles and responsibilities, and assess your readiness to implement the Services by confirming that the
appropriate information is documented.
 Network Discovery and Assessment
– The purpose of this activity is to identify active hosts and services within the target network range(s) and assess the
security posture of those systems.
 Network Attack and Exploitation
– The purpose of this activity is to attempt to exploit identified vulnerabilities and demonstrate the impact of those
vulnerabilities in terms of successful attack scenarios for the target network range(s), IP addresses, and in-scope
active Devices specified in the Schedule.
 Web Application Testing (Add-on)
– The purpose of this activity is to attempt to identify and exploit web application vulnerabilities and demonstrate the
impact of those vulnerabilities in terms of successful attack scenarios against in-scope websites.
 Internal Network Exploitation (Add-on)
– The purpose of this activity is to utilize discovered successful attacks to initiate mutually agreed upon breach scenarios
for the target network range(s).
 Network Vulnerability Assessment (Add-on)
– The purpose of this activity is to identify active host systems and associated services within the targeted network
range, assess such systems for known vulnerabilities, and evaluate the identified vulnerabilities.
 Onsite Internal Penetration Test (Add-on)
– The purpose of this activity is to attempt to investigate weaknesses in the internal network by mimicking malicious
behaviors that could be exhibited by a trusted user with access to the network.
Penetration Test – Scope and Methodology
 Scope
– Identify active services, their nature and the published services
– Identify the current vulnerabilities
– Analyze Web security exposures
– Leverage the identified vulnerabilities to access the Client’s systems and provide the actual risk magnitude and evidence
– Document the possible countermeasures and exposure resolutions
 Phases*
– Discovery: get an overview of the tested systems and their usage
– Vulnerability assessment: perform network, host and port mapping, run vulnerability scanners to identify any existing network, operating system or service vulnerabilities, manual vulnerability mapping, application testing
– Penetration (or exploiting): exploit the vulnerabilities found
– Keep access: ensure constant access to exploited systems
– Cover tracks: hide presence on exploited systems
– Final reports: Executive summary, Main Observations, Vulnerabilities technical details, Recommendations
* Based on the scope of the engagement, the methodology can use all steps, particular steps, or a phase-based approach
Penetration Test - Typical Exploit Sequence
(diagram: Vulnerable Server, Domain Controller, Domain Systems; labels as extracted)
1) Exploit (vulnerable server)
2) Crack local passwords
3) Exploit (domain controller)
4) Next: crack passwords of domain users; attack other domains
Outcome: DOMAIN COMPROMISED (domain systems)
Penetration Testing Summary
Solution Overview
IBM Penetration Testing services perform safe and controlled exercises that demonstrate covert and hostile attack techniques designed to identify vulnerable systems. They validate existing security controls and quantify real-world risks, providing clients with a detailed security roadmap that prioritizes the weaknesses in the network environment.
Customer Pain Points
 Addressing and maintaining security needs that satisfy regulatory compliance
 Lack of skills and resources to build an efficient and effective security program
 Need to protect business-critical data
 Maintaining network and application availability during hostile activities typical of malicious attackers
 Helps to prevent network compromise and downtime by identifying vulnerabilities, validating current safeguards and outlining steps for remediation
 Raises executive awareness of corporate liability to emphasize the importance of IT security efforts
 Validates the effectiveness of the security measures currently in place
 Quantifies system and business-critical data risk
 Provides recommendations to resolve identified security vulnerabilities to prevent network downtime
 Helps to protect the integrity of online assets
 Supports efforts and investments to reach and maintain compliance with security regulations and industry standards
Key Features
 Provides a detailed analysis of your network security, including demonstrated attacks and their effects on your online operations
 Delivers a quality service designed to be safely conducted by expert security professionals, through manual penetration techniques and automated scanning
 Conducts real-life simulations of covert and hostile activities typical of malicious attackers’ attempts to compromise perimeter devices and security controls
 Final reports show identified risks by priority and set out the elements for immediate action to resolve identified vulnerabilities
THANK YOU